Visa to Bar Transactions by Processor

Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations, in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

Cardholders and merchants should not be affected by the change.

Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place.

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday.

In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said in a statement. "We hope that Visa will reconsider."

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.

Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.

"Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement.

At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable.

Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response.

Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover.

At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I. and a group of federal banking regulators are now investigating.

In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystems had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,' " Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems."

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

The New York Times.
